On 8 April 2014, the Court of Justice of the European Union (“the ECJ”) handed down its famous judgment in the joined cases of C-293/12 Digital Rights Ireland and C-594/12 Seitlinger and Others ("Digital Rights Ireland") declaring the Data Retention Directive 2006/24/EC invalid in its entirety.
On 7 January 2015, the Luxembourg Ministry of Justice filed proposal n° 6763 modifying the Luxembourg Criminal Procedure Code and the Act of 30 May 2005 laying down specific provisions for the protection of persons with regard to the processing of personal data in the electronic communications sector, as amended (the “Proposal”), in order to comply with the aforementioned judgment and to fill the lacuna created by the invalidity of Directive 2006/24/EC.
The main objective of Directive 2006/24/EC was to oblige providers of publicly available electronic communications services or of public communications networks (the “ECS Providers”) to retain traffic and location data, as well as related data for a period of at least six months. The retention of the data was considered necessary to identify the subscriber or user, with the objective of the retention being to ensure the availability of the data for the purpose of the prevention, investigation, detection and prosecution of serious crimes, such as organised crime and terrorism.
In 2012, the ECJ was required by the High Court of Ireland and the Verfassungsgerichtshof of Austria to examine the validity of Directive 2006/24/EC in the light of both the fundamental right to respect for private life and the fundamental right to the protection of personal data.
On 8 April 2014, in Digital Rights Ireland, the ECJ ruled that Directive 2006/24/EC was invalid, particularly since:
- it covered all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception;
- it failed to set out objective criteria to determine the limit of access by the competent national authority to the data and its subsequent use;
- it imposed a retention period of at least six months, without making any distinction between the categories of data on the basis of the persons concerned or the possible usefulness of the data in relation to the objective pursued;
- it provided an inadequate protection against serious risk of abuse or loss of data, and
- it did not require that the data be retained within the EU.
The judgment created legal uncertainty for ECS Providers, particularly with regard to the question of whether national legislation implementing Directive 2006/24/EC remained in force and, if so, which data to retain and for how long.
The day after the ECJ judgment in Digital Rights Ireland, the Luxembourg Minister of Justice requested an opinion from the CNPD, the Luxembourg data protection authority, in order to assess the compliance of the Luxembourg legislation with the points raised by the ECJ.
On 13 May 2014, the CNPD published its opinion with the principal recommendation to redefine the condition for combatting serious and organised crimes and terrorism by a more appropriate qualification and incrimination of the facts that are the object of the investigation.
With a view of addressing the points raised by the ECJ in Digital Rights Ireland, and to solve the problem of legal uncertainty faced by the ECS Providers, the Minister of Justice filed the Proposal on 7 January 2015, which modifies both the Code of Criminal Procedure and the Act of 30 May 2005 laying down specific provisions for the protection of persons with regard to the processing of personal data in the electronic communications sector, as amended (the “Privacy and Electronic Communications Act 2005”).
The Proposal concerns both traffic data (Article 5 of the Privacy and Electronic Communications Act 2005) and location data other than traffic data (Article 9 of the Privacy and Electronic Communications Act 2005), and provides for four main amendments to the existing Luxembourg rules.
- The Proposal first proposes to replace the current principle of access, providing that law enforcement authorities may request access to the retained data in case of the commission of a criminal offence figuring on an exhaustive and precise list and carrying a sentence of at least one year of imprisonment. The list is inspired by the inventory of offences contained in Annex D of the Directive 2014/41/EU regarding the European Investigation Order in criminal matters, and contains various types of offenses such as crimes against the security of the State, terrorism, participation in a criminal organisation, gun trafficking, intentional injury or homicide, racism or discrimination, etc.
- Secondly, in order to comply with the ECJ's reasoning in paragraph 67 of Digital Rights Ireland, the Proposal provides that the retained data must be deleted irrevocably and without any delay at the expiration of the retention period (which is still maintained at 6 months from the date of the related communication). The Proposal also provides that the ECS Providers will no longer be allowed to store the data in an anonymized form after the expiration of the retention period.
- Thirdly, the Proposal increases the penalties – in case of non-compliance with the Privacy and Electronic Communications Act 2005 – to a sentence of six months to two years of imprisonment. According to the preparatory works of the Proposal, this increase aims at highlighting the importance of data protection legislation and to improve the dissuasive character of the Luxembourg Privacy and Electronic Communications Act 2005. Moreover, the increase will result in the possibility to obtain a warrant of committal (mandat de dépôt) against any person suspected of having committed an infringement of said law in accordance with Article 94 of the Code of Criminal Procedure.
- Fourthly, following the ECJ's arguments in paragraph 68 of Digital Rights Ireland, the Proposal obliges the ECS Providers to store the data on the territory of the European Union, in order to ensure that the EU data protection related provisions be applicable to the data at any time.
Finally, the Proposal foresees that a grand-ducal decree will be adopted in order to lay down detailed enforcement provisions ensuring the highest level of integrity and confidentiality of the data.
In placing this Proposal before the Parliament, the Ministry of Justice raises Luxembourg among the first countries legislating in order to address the issues identified by the ECJ in the Digital Rights Ireland.